Using an external directory

This feature was not part of the security target during the SNS firewall qualification process.

Various features, including administrator authentication, require a connection to a directory. When this directory is outside the SNS firewall, the confidentiality and integrity of the traffic exchanged must be guaranteed and the appliances involved (firewall, administration server and directory server) must be authenticated. Otherwise, an attacker could obtain information about the connection.

R28 | SNS-SMC | Configure the LDAP securely
If the LDAP service is configured:
  • The LDAPS protocol should be used, with the LDAP server presenting a certificate that has been signed by a controlled PKI,

  • The corresponding CA should be imported on the SNS firewall or SMC server,

  • The CA imported earlier should be used to validate the connection to the LDAP server.
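The trust model behind R28 can be exercised locally, as an added example that is not part of the Stormshield guide: the script builds a throwaway "controlled PKI" CA (the CA that would be imported on the SNS firewall or SMC server), issues an LDAP server certificate from it, and then shows which server certificates a client trusting only that CA accepts. It assumes `openssl` is installed; the names `ca.example.internal` and `ldap.example.internal` are constructed placeholders.

```shell
#!/bin/sh
# Added example, not from the Stormshield guide: models the R28 trust chain with a
# throwaway CA. Hostnames are constructed placeholders.
set -eu
WORK="$(mktemp -d)"

make_pki() {
  # Controlled CA: the certificate an administrator would import on the SNS/SMC side.
  openssl req -x509 -newkey rsa:2048 -nodes -days 30 \
    -subj "/CN=ca.example.internal" \
    -keyout "$WORK/ca.key" -out "$WORK/ca.pem" 2>/dev/null
  # LDAP server certificate issued by the controlled CA (the R28-compliant case).
  openssl req -newkey rsa:2048 -nodes \
    -subj "/CN=ldap.example.internal" \
    -keyout "$WORK/ldap.key" -out "$WORK/ldap.csr" 2>/dev/null
  openssl x509 -req -in "$WORK/ldap.csr" -CA "$WORK/ca.pem" -CAkey "$WORK/ca.key" \
    -CAcreateserial -days 30 -out "$WORK/ldap.pem" 2>/dev/null
  # Self-signed certificate carrying the same name but issued by no controlled PKI:
  # what an unmanaged or impersonated directory server would present.
  openssl req -x509 -newkey rsa:2048 -nodes -days 30 \
    -subj "/CN=ldap.example.internal" \
    -keyout "$WORK/rogue.key" -out "$WORK/rogue.pem" 2>/dev/null
}

# Validate a server certificate the way a client trusting only the controlled CA does:
# the chain must terminate at ca.pem and the name must match the LDAP host.
# Prints "accepted" or "rejected" and returns 0 or 1 accordingly.
check_ldap_cert() {
  cert="$1"
  if openssl verify -CAfile "$WORK/ca.pem" \
       -verify_hostname ldap.example.internal "$cert" >/dev/null 2>&1; then
    echo accepted
    return 0
  fi
  echo rejected
  return 1
}

# Stand-alone run: the CA-issued certificate passes, the self-signed one does not.
make_pki
check_ldap_cert "$WORK/ldap.pem"
check_ldap_cert "$WORK/rogue.pem" || true
```

Only the certificate chained to the imported CA is accepted; a certificate for the right name but from an uncontrolled issuer is rejected, which is the check the third bullet of R28 turns on.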

Authentication from an external directory can be set up in several steps:

  • Enable the use of the directory (Configuration > Users > Directory configuration), choose its type, then configure access:

    • The address of the directory,

    • The base DN,

    • The communication port,

    • The login and password of the SNS firewall’s access account on the directory. This account must comply with recommendation R8,

    • Password hashing.

  • Specify the structure of the directory (Structure tab). The attributes that the SNS firewall manages must be mapped to those in the LDAP directory. The Stormshield member attribute in particular, which contains the list of identifiers belonging to a group, must match its equivalent in the LDAP directory,

  • Set LDAP as the default authentication method (Configuration > Users > Authentication).